Cyber Attacks
March 6, 2024

NTLM authentication hashes are being targeted through phishing attacks

Hackers in the group TA577 have recently adapted their tactics to use phishing scams to steal Windows NT LAN Manager (NTLM) authentication hashes. NTLM is a protocol commonly used for authentication in Windows environments, including user authentication, access to network resources, Exchange servers and file sharing. In a campaign launched on February 26 and 27, the hackers disseminated thousands of phishing emails designed to trick users into entering their credentials on fake login pages. These emails used a technique known as thread hijacking, which can be a challenge to detect because the emails are sent from a legitimate email account that has been compromised. Once obtained, the NTLM authentication hashes can be used to gain unauthorised access to sensitive corporate systems and data.

The implications of the threat

This poses a significant security threat. NTLM authentication is widespread in Windows environments, making it a prime target for attackers. If successful, these phishing attacks could lead to unauthorised access to a business’s network, systems, and sensitive data. As a result, financial losses, damage to reputation, and potential regulatory penalties are expected if data is stolen. Recovering from a security breach can also be time-consuming and costly: the business may experience operational disruptions, downtime, and productivity losses while addressing the security incident and implementing remediation measures. Finally, once inside a business’s systems, hackers can use stolen NTLM hashes to move laterally and compromise other systems and accounts. This can result in widespread network infiltration, making it challenging for the business to contain and mitigate the attack.

How could this be prevented?

It's crucial for UK businesses to prioritise cyber security awareness training for employees to recognise and avoid phishing attempts. Implementing multi-factor authentication (MFA) can provide an additional layer of security to protect against NTLM hash theft. Additionally, regular security assessments and penetration testing can help identify and address vulnerabilities before they can be exploited by attackers. Overall, vigilance, employee education, and robust security measures are essential for UK businesses to mitigate the risks posed by these phishing attacks targeting NTLM authentication hashes.
